This work presents a formalization, in the higher-order proof assistant PVS, of the theorem of existence of most
general unifiers in first-order signatures. The distinguishing feature of this formalization is that it remains
close to the textbook proofs, which are based on proving the correctness of the well-known Robinson first-order
unification algorithm. The formalization was applied inside a PVS development for term rewriting systems that
provides a complete formalization of the Knuth-Bendix Critical Pair theorem, among other relevant theorems of
the theory of rewriting. In addition, the formalization methodology has proved to be of practical use for
verifying the correctness of unification algorithms in the style of Robinson's original algorithm.

1 Introduction 

A formalization in the proof assistant PVS of the theorem of existence of most general unifiers (mgu's)
in first-order theories is presented. There are several applications of this theorem in computational logic,
which range from the correctness of first-order resolution [19] and the correctness of the Knuth-Bendix
completion algorithm [15] to the correctness of principal type algorithms [13] and their implementations
in programming and specification languages. This well-known result is stated as follows:

Theorem 1 (Existence of mgu's) Let s and t be terms. If s and t are unifiable, then there exists an
mgu of s and t.

The analytic proof of this theorem is constructive; the first proof was given by Robinson himself in [19].
In Robinson's seminal paper, the unification algorithm either outputs a most general unifier for each
unifiable pair of terms or fails when there are no unifiers. Essentially, the proof of correctness of this
algorithm consists in, firstly, proving that the algorithm always terminates and, secondly, proving that
when it terminates it returns an mgu, which implies the existence theorem.

Several variants of this first-order unification algorithm appear in well-known textbooks on computational
and mathematical logic, semantics of programming languages, rewriting theory, type theory, etc.
(e.g., [17, 9, 6, 3, 2, 14]). Since the presented formalization follows the classical proof schema, only a
sketch of this proof will be given here.

The development of the PVS theory unification was motivated by the formalization of a PVS library
for term rewriting systems [11], in which the theorem of existence of mgu's is essential in order to obtain
complete formalizations of relevant results such as the well-known Knuth-Bendix(-Huet) Critical Pair
theorem [12]. In addition to this application of the formalization of the theorem of existence of mgu's,
in [?] a general verification methodology for first-order unification algorithms was reported, illustrated
through the formalization of the correctness of a greedy version of Robinson's unification algorithm,
which follows the lines of the formalization of the theorem of existence of mgu's presented in this paper
in order to check termination and soundness of the algorithm. Essentially, that work illustrates how the
verification of completeness of a unification algorithm depends on the particular way in which the
algorithm detects non-unifiable inputs. Moreover, when formalizing the correctness of efficient unification
algorithms, the specific data types and refined strategies used to efficiently detect and solve differences
between the terms being unified are of central relevance.

In Sec. 2 the necessary analytic concepts (terms, subterms, positions and substitutions), together with
their corresponding specifications in PVS, are given. The formalization of the theorem of existence of
mgu's is presented in Sec. 3. Also in Sec. 3 it is illustrated how specific unification algorithms à la
Robinson are verified using this methodology. In the sequel, related work and conclusions are presented. The
PVS files of the formalization of the theorem of existence of mgu's and of the verification of Robinson-style
unification algorithms are available as part of the theory for term rewriting systems (trs) in the NASA
LaRC PVS libraries, http://shemesh.larc.nasa.gov/fm/ftp/larc/PVS-library/pvslib.html.

2 Specification of terms, positions, subterms and substitutions 

Although familiarity with unification and its standard notation (e.g., as in [2, 3]) is assumed, the analytical
concepts will be presented together with their associated specifications in PVS.

Consider a signature $\Sigma$ in which function symbols and their associated arities are given, as well as an
enumerable set $V$ of variables.

Definition 1 (Well-formed terms) The set of well-formed terms, denoted by $T(\Sigma, V)$, over the signature
$\Sigma$ and the set $V$ of variables is recursively defined as: i) $x \in V$ is a well-formed term and ii) for each
$n$-ary function symbol $f \in \Sigma$ and well-formed terms $t_1, \ldots, t_n$, $f(t_1, \ldots, t_n)$ is a well-formed term.

Note that constants are 0-ary well-formed terms. 

In the sequel, for brevity "terms" instead of "well-formed terms" will be used. 

The hierarchy of the theory unification is presented in Fig. 1. This is part of the theory trs for
term rewriting systems presented in [11], which also includes the subtheory ars for abstract reduction
systems [10]. The most relevant notions related to unification are inside the subtheories positions,
subterm and substitution. The PVS notions used for specifying these basic concepts are taken from
the prelude theories finite_sequences and finite_sets. Finite sequences are used to specify
well-formed terms, which are built from variables and function symbols with their associated arities.
This is done by application of the PVS DATATYPE mechanism, which is used to define recursive types.

term[variable: TYPE+, symbol: TYPE+, arity: [symbol -> nat]]: DATATYPE
BEGIN
  vars(v: variable): vars?
  app(f: symbol, args: {args: finite_sequence[term] | args`length = arity(f)}): app?
END term

Notice that the fact that a term is well-formed, that is, that function symbols are applied to the
right number of arguments, is guaranteed by typing the arguments of each function symbol f as a finite
sequence of length arity(f).

Finite sets and sequences are also used to specify sets of subterms and sets of term positions, as is
shown below.

Figure 1: Hierarchy of unification inside the theory trs

2.1 The subtheories positions and subterm 

As usual, positions of a term are defined as finite sequences of positive naturals, which simplifies the
definitions of subterms and occurrences. A dot "$\cdot$" is used for the operation of concatenation of two
naturals $m$ and $n$, $m \cdot n$, and for the concatenation of the elements in sets of naturals; that is,
$N \cdot M := \{n \cdot m \mid n \in N, m \in M\}$. For simplicity $n \cdot M$ denotes $\{n\} \cdot M$.

Definition 2 (Positions, subterms, occurrences) The set of positions of a term $t$ in $T(\Sigma, V)$, denoted as
$Pos(t)$, is defined inductively as i) $Pos(x) := \{\varepsilon\}$ and ii) $Pos(f(t_1, \ldots, t_n)) := \{\varepsilon\} \cup \bigcup_{i=1}^{n} i \cdot Pos(t_i)$,
where $\varepsilon$ denotes the empty sequence that represents the root position of the term $t$. The subterm at a
given position $\pi \in Pos(t)$ of a term $t$ is defined inductively as i) $t|_\varepsilon := t$ and ii) $f(t_1, \ldots, t_n)|_{i \cdot \pi} := t_i|_\pi$.

The set of subterms of a term $t$ is the set $\{t|_\pi \mid \pi \in Pos(t)\}$.

Whenever $s = t|_\pi$, it is said that there is an occurrence of the subterm $s$ of $t$ at position $\pi$. The set of
positions of occurrences of a term $s$ in $t$ is given by the set $\{\pi \mid t|_\pi = s\}$.

The (finite) set of positions positionsOF of a term t is recursively specified on its structure as below,
where only_empty_seq is the set containing only the empty finite sequence, that is, the set containing
only the root position.

positionsOF(t: term): RECURSIVE positions =
  (CASES t OF
     vars(t): only_empty_seq,
     app(f, st): IF length(st) = 0 THEN only_empty_seq
                 ELSE union(only_empty_seq,
                            IUnion((LAMBDA (i: upto?(length(st))):
                                      catenate(i, positionsOF(st(i-1))))))
                 ENDIF
   ENDCASES)
  MEASURE t BY <<
where the operator IUnion builds the union of all sets of positions of the arguments of a functional
term app(f, st), in which f is the name of the function and st is the sequence of arguments, that is, a
sequence of length equal to the arity of f. The positions of the i-th argument are prefixed by i in order to
build the sequence of positions inside this argument relative to the whole term.

Several necessary results on terms, subterms and positions are formalized by induction on the structure
of terms, following the lines of this abstract datatype specification. For instance, properties such as
the one stating that the set of positions of a term is finite, the one stating that the set of
variables occurring in a term is finite (lemma vars_of_term_finite in the subtheory subterm), and
the one stating that terms with the same head symbol (applications) have the same number of arguments,
presented below, are proved by structural induction on the abstract datatype for terms.

positions_of_terms_finite: LEMMA is_finite(positionsOF(t))

equal_symbol_equal_length_arg: LEMMA
  FORALL (s, t: term, fs, ft: symbol,
          ss: {args: finite_sequence[term] | args`length = arity(fs)},
          st: {argt: finite_sequence[term] | argt`length = arity(ft)}):
    (s = app(fs, ss) AND t = app(ft, st) AND fs = ft) => ss`length = st`length

For $p \in Pos(t)$, in the subtheory subterm, the subterm of t at position p is also specified in a
recursive way (now on the length of p), as follows:

subtermOF(t: term, (p: positions?(t))): RECURSIVE term =
  IF length(p) = 0 THEN t
  ELSE LET st = args(t), i = first(p), q = rest(p) IN subtermOF(st(i-1), q)
  ENDIF
  MEASURE length(p)

where first and rest are constructors that return, respectively, the first element and the rest of a finite
sequence, and positions?(t) is the (dependent) type of all positions in t, which is specified as follows:

positions?(t: term): TYPE = {p: position | positionsOF(t)(p)}

Other results are formalized by induction on the length of (sequences representing) positions; for
instance the ones below, stating the equality $t|_{p \cdot q} = (t|_p)|_q$ and that whenever $p$ is a position of $t$ and $q$ a
position of $t|_p$, $p \cdot q$ is a position of $t$, are proved by structural induction on terms.

pos_subterm: LEMMA FORALL (p, q: position, t: term):
  positionsOF(t)(p o q) => subtermOF(t, p o q) = subtermOF(subtermOF(t, p), q)

pos_o_term: LEMMA FORALL (p, q: position, t: term):
  positionsOF(t)(p) & positionsOF(subtermOF(t, p))(q) => positionsOF(t)(p o q)
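The following Python transcription of Definition 2 and of the PVS functions positionsOF and subtermOF is an added example; it is neither the paper's code nor part of the trs library. Positions are tuples of positive integers with the empty tuple as the root position, and the term datatype (Var, App), the replacement helper replace_at and the sample term are our own constructions. The last function checks the lemmas pos_subterm and pos_o_term by brute force over every pair of positions of a given term, which is the kind of sanity check one runs on a small model before attempting the inductive proof.

```python
# Added example (not the paper's PVS code): terms, positions and subterms in
# Python, mirroring Definition 2 and the PVS functions positionsOF and subtermOF.
# Positions are tuples of positive ints; the empty tuple () is the root position.
from dataclasses import dataclass
from typing import Set, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    f: str
    args: tuple  # a constant is an App with an empty argument tuple (0-ary symbol)


Term = Union[Var, App]
Position = Tuple[int, ...]


def positions_of(t: Term) -> Set[Position]:
    """Pos(x) = {eps}; Pos(f(t1, ..., tn)) = {eps} U  U_{i=1..n} i . Pos(ti)."""
    pos = {()}
    if isinstance(t, App):
        for i, ti in enumerate(t.args, start=1):
            pos |= {(i,) + p for p in positions_of(ti)}
    return pos


def subterm_of(t: Term, p: Position) -> Term:
    """t|eps = t and f(t1, ..., tn)|i.pi = ti|pi; recursion on the length of p."""
    if not p:
        return t
    if isinstance(t, Var) or not 1 <= p[0] <= len(t.args):
        raise ValueError(f"{p} is not a position of {t}")
    return subterm_of(t.args[p[0] - 1], p[1:])


def replace_at(t: Term, p: Position, s: Term) -> Term:
    """t[p <- s]: the term obtained by replacing the subterm of t at position p by s."""
    if not p:
        return s
    if isinstance(t, Var) or not 1 <= p[0] <= len(t.args):
        raise ValueError(f"{p} is not a position of {t}")
    args = list(t.args)
    args[p[0] - 1] = replace_at(args[p[0] - 1], p[1:], s)
    return App(t.f, tuple(args))


def occurrences(s: Term, t: Term) -> Set[Position]:
    """Positions of the occurrences of s in t: {pi | t|pi = s}."""
    return {p for p in positions_of(t) if subterm_of(t, p) == s}


def check_position_lemmas(t: Term) -> bool:
    """Brute-force check of pos_o_term and pos_subterm for every p in Pos(t), q in Pos(t|p)."""
    pos = positions_of(t)
    for p in pos:
        for q in positions_of(subterm_of(t, p)):
            if p + q not in pos:                                          # pos_o_term
                return False
            if subterm_of(t, p + q) != subterm_of(subterm_of(t, p), q):   # pos_subterm
                return False
    return True


# Constructed sample term: f(x, g(a, x), y), with a a constant.
SAMPLE = App("f", (Var("x"), App("g", (App("a", ()), Var("x"))), Var("y")))

if __name__ == "__main__":
    print(sorted(positions_of(SAMPLE)))           # [(), (1,), (2,), (2, 1), (2, 2), (3,)]
    print(sorted(occurrences(Var("x"), SAMPLE)))  # [(1,), (2, 2)]
    print(check_position_lemmas(SAMPLE))          # True
```

The ValueError in subterm_of plays the role of the dependent type positions?(t) in the PVS specification: in PVS an ill-typed position is rejected at type-checking time, whereas here it is rejected at run time.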

2.2 The subtheory substitution

By using the definition of position, the notion of replacement of a subterm of a term is stated easily. 

Definition 3 (Replacement of subterms) Consider $t \in T(\Sigma, V)$ and $\pi \in Pos(t)$. The term resulting from
replacing the subterm at position $\pi$ of $t$ by the term $s$ is denoted by $t[\pi \leftarrow s]$.

Alternatively, the notation $t[s]_\pi$ is also frequently used in the literature.

Definition 4 (Substitution) A substitution $\sigma$ is defined as a function from $V$ to $T(\Sigma, V)$ such that the
domain of $\sigma$, defined as the set of variables $\{x \mid x \in V, x\sigma \neq x\}$ and denoted by $Dom(\sigma)$, is finite.

Definition 5 (Homomorphic extension of a substitution) The homomorphic extension of a substitution
$\sigma$, denoted as $\hat{\sigma}$, is inductively defined over the set $T(\Sigma, V)$ as i) $x\hat{\sigma} := x\sigma$ and ii) $f(t_1, \ldots, t_n)\hat{\sigma} :=
f(t_1\hat{\sigma}, \ldots, t_n\hat{\sigma})$.

Given the notion of homomorphic extension, it is possible to define substitution composition. 

Definition 6 (Composition of substitutions) Consider two substitutions $\sigma$ and $\tau$. Their composition $\sigma \circ
\tau$ is defined as the substitution such that $Dom(\sigma \circ \tau) = Dom(\sigma) \cup Dom(\tau)$ and, for each variable $x$
in this domain, $x(\sigma \circ \tau) := (x\tau)\hat{\sigma}$.

The subtheory substitution specifies the algebra of substitutions. In this subtheory the type of
substitutions is built from functions from variables to terms, sig: [V -> term], whose domain is finite:
Sub?(sig): bool = is_finite(Dom(sig)) and Sub: TYPE = (Sub?). Also, the notions
of domain, range and variable range are specified, close to the usual theory of substitutions as presented
in well-known textbooks (e.g., [2]). These notions are specified as follows:

Dom(sig): set[(V)] = {x: (V) | sig(x) /= x}

Ran(sig): set[term] = {y: term | EXISTS (x: (V)): member(x, Dom(sig)) & y = sig(x)}

VRan(sig): set[(V)] = IUnion(LAMBDA (x | Dom(sig)(x)): Vars(sig(x)))

where (V) denotes the type of all terms that are variables and Vars(t) denotes the set of all variables 
occurring in a term t. 

Also, in the subtheory substitution the homomorphic extension ext(sig) of a substitution sig 
is specified inductively over the structure of terms: 

ext(sigma)(t): RECURSIVE term =
  CASES t OF
    vars(t): sigma(t),
    app(f, st): IF length(st) = 0 THEN t
                ELSE LET sst = (# length := st`length,
                                  seq := (LAMBDA (n: below[st`length]): ext(sigma)(st(n))) #)
                     IN app(f, sst)
                ENDIF
  ENDCASES
  MEASURE t BY <<

The composition of two substitutions, denoted by comp, is specified as 

comp(sigma, tau)(x: (V)): term = ext(sigma)(tau(x))

In standard rewriting notation, the homomorphic extension of a substitution $\sigma$ from its domain of
variables to the domain of terms is denoted by $\hat{\sigma}$, but, to simplify notation, textbooks usually do not
distinguish between a substitution $\sigma$ and its extension $\hat{\sigma}$. In the formalization this distinction must be
maintained carefully. For instance, observe the following lemma and its formalization.

Lemma 2 Let $s$ be a term, $p$ a position of $s$ and $\sigma$ a substitution. Then $(s\hat{\sigma})|_p = (s|_p)\hat{\sigma}$.

subterm_ext_commute: LEMMA FORALL (p: position, s: term, sigma: Sub):
  positionsOF(s)(p) => subtermOF(ext(sigma)(s), p) = ext(sigma)(subtermOF(s, p))

Several important results useful for the development of the subtheory unification were formalized in the
subtheory substitution, e.g., the property stating that the application of the homomorphic extension
of a substitution preserves the original set of positions of the instantiated term, formalized as:

ext_preserv_pos: LEMMA FORALL (p: position, s: term, sigma: Sub):
  positionsOF(s)(p) => positionsOF(ext(sigma)(s))(p)
The lemma below characterizes the set of positions of the instantiation of a term by a substitution.

positions_of_ext: LEMMA positionsOF(ext(sigma)(t)) =
  union({p | positionsOF(t)(p) & (NOT vars?(subtermOF(t, p)))},
        {q | EXISTS p1, p2: q = p1 o p2 AND positionsOF(t)(p1) AND
               vars?(subtermOF(t, p1)) AND positionsOF(ext(sigma)(subtermOF(t, p1)))(p2)})

Additional formalized lemmas, presented below, state that all variables in the domain but not in the
range of a substitution $\sigma$ disappear from every $\sigma$-instantiated term, and that non-variable subterms, i.e.,
function symbols, remain untouched after any possible instantiation.

vars_subst_not_in: LEMMA FORALL t, sigma, x:
  Dom(sigma)(x) AND (FORALL r: Ran(sigma)(r) => NOT member(x, Vars(r)))
    => NOT member(x, Vars(ext(sigma)(t)))

ext_preserve_symbol: LEMMA FORALL (s: term, sig: Sub, p: position | positionsOF(s)(p)):
  app?(subtermOF(s, p)) => f(subtermOF(s, p)) = f(subtermOF(ext(sig)(s), p))

3 Formalization of first-order unification 

The formalization of the existence of first-order mgu's is presented, and then it is explained how the
formalization technology was applied to verify a specific unification algorithm. Again, definitions and
their corresponding specifications are included. The theory unification consists of 57 lemmas, of
which 30 are type correctness conditions (TCCs), that is, lemmas automatically generated by the prover
during type checking. The specification file has 273 lines and a size of 9.8 KB, and the proof file has
11540 lines and 657 KB.

Two terms $s$ and $t$ are said to be unifiable whenever there exists a substitution $\sigma$ such that $s\hat{\sigma} = t\hat{\sigma}$.

Definition 7 (Unifiers) The set of unifiers of two terms $s$ and $t$ is defined as $U(s,t) := \{\sigma \mid s\hat{\sigma} = t\hat{\sigma}\}$.

Definition 8 (More general substitutions) Given two substitutions $\sigma$ and $\tau$, $\sigma$ is said to be more
general than $\tau$ whenever there exists a substitution $\gamma$ such that $\gamma \circ \sigma = \tau$. This is denoted as $\sigma \leq \tau$.

Definition 9 (Most General Unifier) Given two terms $s$ and $t$ such that $U(s,t) \neq \emptyset$, a substitution $\sigma$
such that for each $\tau \in U(s,t)$, $\sigma \leq \tau$, is said to be a most general unifier of $s$ and $t$. For short it is said
that $\sigma$ is an mgu of $s$ and $t$.

Now, it is possible to state the theorem of existence of mgu's. 

Theorem 3 (Existence of mgu's) Let $s$ and $t$ be terms in $T(\Sigma, V)$ built over a signature $\Sigma$. Then
$U(s,t) \neq \emptyset$ implies that there exists an mgu of $s$ and $t$.

The analytic proof of this theorem is constructive, and the first proof was presented by
Robinson himself in [19]. In Robinson's paper a unification algorithm was introduced which either
outputs a most general unifier for each unifiable pair of terms or fails when there are no unifiers.
The proof of correctness of this algorithm, which consists in proving that the algorithm always terminates
and that when it terminates it gives an mgu, implies the existence theorem. Several variants of this
first-order unification algorithm appear in well-known textbooks on computational and mathematical logic,
semantics of programming languages, rewriting theory, etc. (e.g., [17, 9, 6, 3, 2, 14]). Since the presented
formalization follows the classical proof schema, no analytic presentation of this proof is given here.

Basic notions on unification are specified straightforwardly in the language of PVS. For instance, the
notion of more general substitution is given as

<=(theta, sigma): bool = EXISTS tau: sigma = comp(tau, theta)

From this specification, one proves that the relation <= is a pre-order (i.e., reflexivity and transitivity). 
The notions of unifier, unifiable, the set of unifiers of two terms and a most general unifier of two 
terms are specified as 

unifier(sigma)(s, t): bool = ext(sigma)(s) = ext(sigma)(t)

unifiable(s, t): bool = EXISTS sigma: unifier(sigma)(s, t)

U(s, t): set[Sub] = {sigma: Sub | unifier(sigma)(s, t)}

mgu(theta)(s, t): bool =
  member(theta, U(s, t)) & FORALL sigma: member(sigma, U(s, t)) => theta <= sigma

Several auxiliary lemmas related to the previous notions were also formalized, such as the ones presented
below: unifier_o formalizes the fact that whenever $\sigma \in U(s\hat{\theta}, t\hat{\theta})$, $\sigma \circ \theta \in U(s,t)$; mgu_o,
that whenever $\rho \geq \sigma$, $\rho \circ \theta \geq \sigma \circ \theta$; unifier_and_subs, that instantiations of unifiers are unifiers;
idemp_mgu_iff_all_unifier, that the idempotence property of mgu's holds; and unifiable_terms_
unifiable_args formalizes the fact that corresponding subterms of unifiable terms are unifiable.

unifier_o: LEMMA
  member(sig, U(ext(theta)(s), ext(theta)(t))) => member(comp(sig, theta), U(s, t))

mgu_o: LEMMA sig <= rho => comp(sig, theta) <= comp(rho, theta)

unifier_and_subs: LEMMA
  member(theta, U(s, t)) => (FORALL (sig: Sub): member(comp(sig, theta), U(s, t)))

idemp_mgu_iff_all_unifier: LEMMA FORALL (theta: Sub | member(theta, U(s, t))):
  mgu(theta)(s, t) & idempotent_sub?(theta) <=>
    (FORALL (sig: Sub | member(sig, U(s, t))): sig = comp(sig, theta))

unifiable_terms_unifiable_args: LEMMA
  FORALL (s: term, t: term, p: position | positionsOF(s)(p) & positionsOF(t)(p)):
    member(sig, U(s, t)) => member(sig, U(subtermOF(s, p), subtermOF(t, p)))

The unification algorithm receives two unifiable terms as arguments and is specified as the function
unification_algorithm, presented below. This function, together with the two auxiliary functions
sub_of_frst_diff and resolving_diff, to be explained in the remainder of this section, forms the
kernel of the specified unification mechanism.

unification_algorithm(s: term, (t: term | unifiable(s, t))): RECURSIVE Sub =
  IF s = t THEN identity
  ELSE LET sig = sub_of_frst_diff(s, t) IN
         comp(unification_algorithm(ext(sig)(s), ext(sig)(t)), sig)
  ENDIF
  MEASURE Card(union(Vars(s), Vars(t)))

In this specification, the function sub_of_frst_diff(s, t), presented below, returns a substitution
that resolves the first difference (left-most, outer-most in the structure of the terms) between the
terms s and t, which are unifiable and different. In order to generate this substitution, the subterms
that generate the difference must occur at the same position of s and t, one of them must be a
variable and the other a term without occurrences of this variable. The recursive function
unification_algorithm has a pair of unifiable terms as domain type, given by the parameters s and t, and in
the interesting case, after finding the substitution $\sigma$ that resolves the first difference, it returns the
composition of the result of the recursive call on the arguments $s\hat{\sigma}$ and $t\hat{\sigma}$ with $\sigma$.

The functions resolving_diff and sub_of_frst_diff, presented below, have the same parameter types;
the former returns the first (left-most, outer-most) position of conflict between the unifiable
and different terms s and t, as previously explained, while the latter returns the substitution that
solves the conflict at the position computed by the function resolving_diff.
resolving_diff(s: term, (t: term | unifiable(s, t) & s /= t)): RECURSIVE position =
  (CASES s OF
     vars(s): empty_seq,
     app(f, st): IF length(st) = 0 THEN empty_seq
                 ELSE (CASES t OF
                         vars(t): empty_seq,
                         app(fp, stp): LET k: below[length(stp)] =
                                         min({kk: below[length(stp)] |
                                                subtermOF(s, #(kk+1)) /= subtermOF(t, #(kk+1))}) IN
                                       add_first(k+1, resolving_diff(subtermOF(s, #(k+1)), subtermOF(t, #(k+1))))
                       ENDCASES)
                 ENDIF
   ENDCASES)
  MEASURE s BY <<

sub_of_frst_diff(s: term, (t: term | unifiable(s, t) & s /= t)): Sub =
  LET k: position = resolving_diff(s, t) IN
  LET sp = subtermOF(s, k), tp = subtermOF(t, k) IN
    IF vars?(sp) THEN (LAMBDA (x: (V)): IF x = sp THEN tp ELSE x ENDIF)
    ELSE (LAMBDA (x: (V)): IF x = tp THEN sp ELSE x ENDIF) ENDIF
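The following Python program is an added example, not the paper's PVS code: it transcribes the substitution algebra of Sec. 2.2 (ext, comp) and the kernel of Sec. 3 (resolving_diff, sub_of_frst_diff, unification_algorithm) into executable form, and also exercises the termination measure of Sec. 3.1 and the mgu characterization idemp_mgu_iff_all_unifier of Sec. 3.2. Substitutions are Python dicts holding only the variables of the finite domain; first_difference returns the conflict position together with the two subterms found there, so no separate subterm lookup is needed. One deliberate extension beyond the paper's specification: the PVS functions accept only unifiable inputs, whereas this version also reports failure (None) on a symbol clash or when the variable of a conflict occurs in the opposite subterm, which is what Robinson's original algorithm does on non-unifiable input. The term datatype, function names in snake_case and the sample terms are our own constructions.

```python
# Added example (not the paper's PVS code): Robinson-style unification in Python,
# following the structure of unification_algorithm, resolving_diff and sub_of_frst_diff.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    f: str
    args: tuple  # a constant is an App with an empty argument tuple


Term = Union[Var, App]
Sub = Dict[str, Term]  # finite-domain substitution: only x with sig(x) /= x are stored


def ext(sig: Sub, t: Term) -> Term:
    """Homomorphic extension of sig to terms (Definition 5, PVS ext)."""
    if isinstance(t, Var):
        return sig.get(t.name, t)
    return App(t.f, tuple(ext(sig, a) for a in t.args))


def comp(sig: Sub, tau: Sub) -> Sub:
    """comp(sigma, tau)(x) = ext(sigma)(tau(x)) on Dom(sigma) U Dom(tau) (Definition 6)."""
    result = {x: ext(sig, t) for x, t in tau.items()}
    for x, t in sig.items():
        result.setdefault(x, t)          # x not in Dom(tau): tau(x) = x, so ext(sigma)(x) = sigma(x)
    return {x: t for x, t in result.items() if t != Var(x)}


def vars_of(t: Term) -> set:
    """Set of the variable names occurring in t (PVS Vars)."""
    if isinstance(t, Var):
        return {t.name}
    return set().union(*(vars_of(a) for a in t.args))


def first_difference(s: Term, t: Term) -> Tuple[Tuple[int, ...], Term, Term]:
    """Left-most, outer-most conflict position (resolving_diff) and the subterms s|p, t|p there."""
    if isinstance(s, App) and isinstance(t, App) and s.f == t.f and len(s.args) == len(t.args):
        for k, (a, b) in enumerate(zip(s.args, t.args), start=1):
            if a != b:
                p, sp, tp = first_difference(a, b)
                return (k,) + p, sp, tp
    return (), s, t


def sub_of_first_diff(s: Term, t: Term) -> Optional[Sub]:
    """Substitution resolving the first conflict (sub_of_frst_diff).  None signals a symbol
    clash or an occurrence of the variable in the other side; the paper's version only takes
    unifiable inputs, so it never needs this failure case."""
    _, sp, tp = first_difference(s, t)
    if isinstance(sp, Var) and sp.name not in vars_of(tp):
        return {sp.name: tp}
    if isinstance(tp, Var) and tp.name not in vars_of(sp):
        return {tp.name: sp}
    return None


def unify(s: Term, t: Term) -> Optional[Sub]:
    """unification_algorithm: identity when s = t, else comp(unify(s sigma, t sigma), sigma).
    The assertion is the termination measure of Sec. 3.1 (TCC6): resolving one conflict
    removes at least one variable from Vars(s) U Vars(t)."""
    if s == t:
        return {}
    sig = sub_of_first_diff(s, t)
    if sig is None:
        return None
    s2, t2 = ext(sig, s), ext(sig, t)
    assert len(vars_of(s2) | vars_of(t2)) < len(vars_of(s) | vars_of(t))
    rest = unify(s2, t2)
    return None if rest is None else comp(rest, sig)


def is_unifier(sig: Sub, s: Term, t: Term) -> bool:
    return ext(sig, s) == ext(sig, t)


def is_mgu_for(theta: Sub, rho: Sub, s: Term, t: Term) -> bool:
    """idemp_mgu_iff_all_unifier, checked for one unifier rho: rho = comp(rho, theta)."""
    return is_unifier(rho, s, t) and comp(rho, theta) == rho


# Constructed sample terms: s = f(X, g(X, Y), b) and t = f(a, g(a, Z), Z).
A, B, C = App("a", ()), App("b", ()), App("c", ())
X, Y, Z = Var("X"), Var("Y"), Var("Z")
S = App("f", (X, App("g", (X, Y)), B))
T = App("f", (A, App("g", (A, Z)), Z))

if __name__ == "__main__":
    print(unify(S, T))                # maps X to a, Y to b and Z to b
    print(unify(X, App("f", (X,))))   # None: X occurs in f(X)
```

On the sample pair the conflicts are resolved at positions (1), (2,2) and (3) in that order, and the result is assembled right to left by comp exactly as in the PVS recursion. The check in is_mgu_for is the direction of idemp_mgu_iff_all_unifier that matters in practice: since the computed mgu is idempotent, every other unifier rho must satisfy rho = comp(rho, theta).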

3.1 Termination 

Notice that the measure of the function unification_algorithm is the cardinality of the union of the
sets of variables occurring in the term parameters s and t. From this measure, the PVS type-checker
generates an interesting type correctness condition concerning the decreasingness of this measure,
which guarantees the termination of the algorithm for all pairs of unifiable terms.

unification_algorithm_TCC6: OBLIGATION FORALL (s, (t | unifiable(s, t))):
  NOT s = t => (FORALL (sig: Sub): sig = sub_of_frst_diff(s, t) =>
    Card(union(Vars(ext(sig)(s)), Vars(ext(sig)(t)))) < Card(union(Vars(s), Vars(t))))

Although this key TCC is automatically generated, it is not automatically proved by PVS. In order to 
prove this TCC, one should first prove the following auxiliary lemma: 

vars_ext_sub_of_frst_diff_decrease: LEMMA
  FORALL (s: term, t: term | unifiable(s, t) & s /= t):
    LET sig = sub_of_frst_diff(s, t) IN
      Card(union(Vars(ext(sig)(s)), Vars(ext(sig)(t)))) < Card(union(Vars(s), Vars(t)))

To prove the previous lemma, one requires the following additional lemma: 

union_vars_ext_sub_of_frst_diff: LEMMA
  FORALL (s: term, t: term | unifiable(s, t) & s /= t):
    LET sig = sub_of_frst_diff(s, t) IN
      union(Vars(ext(sig)(s)), Vars(ext(sig)(t))) = difference(union(Vars(s), Vars(t)), Dom(sig))

The proof of the previous lemma requires that the substitution $\sigma$ that resolves the first conflict
between the given terms maps a variable into a term without occurrences of this variable. From this fact
it is possible to guarantee that the mapped variable disappears from the instantiated terms $s\hat{\sigma}$ and $t\hat{\sigma}$,
and hence the decreasing property holds. This is formalized as the lemma:

sub_of_frst_diff_remove_x: LEMMA FORALL (s: term, t: term | unifiable(s, t) & s /= t):
  LET sig = sub_of_frst_diff(s, t) IN Dom(sig)(x) =>
    (NOT member(x, Vars(ext(sig)(s)))) AND (NOT member(x, Vars(ext(sig)(t))))
Two other lemmas, one for s and the other for t, formalize the fact that the variables in the
$\sigma$-instantiated terms are contained in the set of variables occurring in the original terms being unified.

vars_sub_of_frst_diff_s_is_subset_union: LEMMA
  FORALL (s: term, t: term | unifiable(s, t) & s /= t):
    LET sig = sub_of_frst_diff(s, t) IN
      subset?(Vars(ext(sig)(s)), union(Vars(s), Vars(t)))

By applying the previous lemmas, the fact that the cardinality of the set of variables occurring in the
terms being unified decreases after resolving each conflict between the terms is formalized.

In the remainder of this section the formalization of the lemma union_vars_ext_sub_of_frst_diff,
presented above, will be explained. After a first step of skolemization and simplification, the
following sequent is obtained.

{-1}  sub_of_frst_diff(s, t) = sig
  |-------
{1}   union(Vars(ext(sig)(s)), Vars(ext(sig)(t)))(x) IFF
        difference(union(Vars(s), Vars(t)), Dom(sig))(x)

Note that there is a variable x, resulting from an application of the PVS proof command "decompose-
equality", which simplifies the equality between sets in the consequent formula into a biconditional
stating that x is a member of $Vars(s\hat{\sigma}) \cup Vars(t\hat{\sigma})$ if, and only if, x is a member
of $(Vars(s) \cup Vars(t)) \setminus Dom(\sigma)$. At this point a propositional simplification is applied and the proof
splits into the two branches presented below, one for each direction of the biconditional:

• $x \in Vars(s\hat{\sigma}) \cup Vars(t\hat{\sigma})$ implies $x \in (Vars(s) \cup Vars(t)) \setminus Dom(\sigma)$.

After expanding the definitions of difference and union, the following sequent is obtained: 

{-1}  Vars(ext(sig)(s))(x) OR Vars(ext(sig)(t))(x)
[-2]  sub_of_frst_diff(s, t) = sig
  |-------
{1}   (Vars(s)(x) OR Vars(t)(x)) AND NOT Dom(sig)(x)

Then, after propositional simplification, the proof divides into four branches: 

1. In this case, $x \in Vars(s\hat{\sigma})$ and one should verify that either $x \in Vars(s)$ or $x \in Vars(t)$, which
is done by application of the lemma vars_sub_of_frst_diff_s_is_subset_union.

2. In this case, $x \in Vars(s\hat{\sigma})$ and one should verify that $x \notin Dom(\sigma)$, which is done by application
of the lemma sub_of_frst_diff_remove_x.

3, 4. These cases are analogous to the previous two cases, for the term t.

• $x \in (Vars(s) \cup Vars(t)) \setminus Dom(\sigma)$ implies $x \in Vars(s\hat{\sigma}) \cup Vars(t\hat{\sigma})$.

In this branch, after propositional simplification, one should verify that $x \in Vars(s)$ implies $x \in
Vars(s\hat{\sigma})$ or that $x \in Vars(t)$ implies $x \in Vars(t\hat{\sigma})$. This is true because if $x \notin Dom(\sigma)$, then for a
position $\pi \in Pos(s)$ such that $s|_\pi = x$, one has $(s|_\pi)\hat{\sigma} = (s\hat{\sigma})|_\pi = x$.

3.2 Soundness 

After establishing the termination of the specified function unification_algorithm, its correctness is
formalized and applied in order to prove Theorem 1 of existence of mgu's, which is specified as:

unification: LEMMA unifiable(s, t) => EXISTS theta: mgu(theta)(s, t)

This lemma is proved applying the two lemmas below. The first one states that the substitution given 
by the function unif ication_algorithm is, in fact, a unifier and the second one that it is an mgu. 

unification_algorithm_gives_unifier: LEMMA
  unifiable(s, t) => member(unification_algorithm(s, t), U(s, t))

unification_algorithm_gives_mg_subs: LEMMA
  member(rho, U(s, t)) => unification_algorithm(s, t) <= rho

The formalization of the lemma unif ication_algorithm_gives_unif ier is done by induction 
on the cardinality of the set of variables occurring in s and t. For proving this lemma three auxiliary 
lemmas are necessary: 

• the lemma vars_ext_sub_of_frst_diff_decrease described in the previous subsection, which
guarantees that the set of variables decreases;

• ext_sub_of_frst_diff_unifiable: LEMMA
    FORALL (s: term, t: term | unifiable(s, t) & s /= t):
      LET sig = sub_of_frst_diff(s, t) IN unifiable(ext(sig)(s), ext(sig)(t))

which states that the instantiations $s\hat{\sigma}$ and $t\hat{\sigma}$ of two different and unifiable terms with the
substitution $\sigma$ that resolves the first conflict between these terms are still unifiable; and

• the lemma unifier_o, presented at the beginning of this section, which states that for any unifier
$\theta$ of $s\hat{\sigma}$ and $t\hat{\sigma}$, $\theta \circ \sigma$ is a unifier of $s$ and $t$.

The formalization of the lemma unification_algorithm_gives_mg_subs is also done by induction
on the cardinality of the set of variables occurring in s and t. For proving this lemma two auxiliary
lemmas are applied: the lemma vars_ext_sub_of_frst_diff_decrease and the lemma presented below,
which states that for each unifier $\rho$ of two different and unifiable terms $s$ and $t$, given the substitution
$\sigma$ that resolves the first difference between these terms, there exists $\theta$ such that $\theta \circ \sigma = \rho$.

sub_of_frst_diff_unifier_o: LEMMA FORALL (s: term, t: term | unifiable(s, t) & s /= t):
  member(rho, U(s, t)) =>
    LET sig = sub_of_frst_diff(s, t) IN EXISTS theta: rho = comp(theta, sig)

In the remainder of this section the formalization of sub_of_frst_diff_unifier_o will be explained.

It should be proved that $\theta \circ \sigma$ and $\rho$ map each variable $x$ in their domain, which should be the same set
of variables, to the same terms. The formalization starts with a skolemization and then, in order to provide
a name, p, for the position at which the first difference between the terms s and t is detected, an
application of the PVS proof command "name" is done. In this way the additional premise
resolving_diff(s, t) = p is included.

{-1}  resolving_diff(s, t) = p
[-2]  sub_of_frst_diff(s, t) = sig
[-3]  member(rho, U(s, t))
  |-------
[1]   EXISTS theta: rho = comp(theta, sig)

The proof strategy is to instantiate the existential formula in the consequent with $\rho$ itself, keeping in
mind that if $\rho \in U(s,t)$ then $\rho \in U(s|_q, t|_q)$ for any valid position $q$ of $s$ and $t$, and in particular for the
position p of the first detected difference. It is known that at position p either $s|_p$ or $t|_p$ must be a
variable, so the strategy is to analyze both possible cases. The sequent below is obtained in the case in
which $s|_p$ is a variable. In this sequent x is an arbitrary variable.
{-1}  vars?(subtermOF(s, p))
[-2]  ext(rho)(subtermOF(s, p)) = ext(rho)(subtermOF(t, p))
[-3]  resolving_diff(s, t) = p
[-4]  sub_of_frst_diff(s, t) = sig
[-5]  ext(rho)(s) = ext(rho)(t)
  |-------
[1]   rho(x) = ext(rho)(sig(x))

The variable x in the consequent of this sequent appears after an application of the PVS proof command
"decompose-equality", which simplifies equality between substitutions into equality of the application
of the substitutions to an arbitrary variable: $\rho \circ \sigma = \rho$ whenever, for any $x$, $(x\sigma)\hat{\rho} = x\rho$.

The proof is obtained by case analysis: when $x = s|_p$ and when $x \neq s|_p$.

• In the former case, the formula x = subtermOF(s, p) is added to the antecedents.

Note that $(s|_p)\hat{\sigma} = t|_p$, that is, ext(sig)(subtermOF(s, p)) = subtermOF(t, p), by definition
of sub_of_frst_diff, and $(s|_p)\hat{\rho} = (t|_p)\hat{\rho}$. Then one can conclude that $(s|_p)\hat{\rho} = ((s|_p)\hat{\sigma})\hat{\rho}$.
But in this case $x = s|_p$; thus, one can complete this branch of the proof by expanding the definition
of sub_of_frst_diff with an application of the proof command "expand" and simplifying
with the commands "replace" and "assert".

• In the latter case, the sequent to be considered is presented below. Notice that the negated equality 
that characterizes this case is positively presented as a consequent of the sequent. 

[-1] vars?(subtermOF(s, p))
[-2] ext(rho)(subtermOF(s, p)) = ext(rho)(subtermOF(t, p))
[-3] resolving_diff(s, t) = p
[-4] sub_of_frst_diff(s, t) = sig
[-5] ext(rho)(s) = ext(rho)(t)
|-------
{1} x = subtermOF(s, p)
[2] rho(x) = ext(rho)(sig(x))

In this case, note that x does not belong to the domain of the substitution σ, because the domain of σ
is the singleton {s|p}. Then xσ = x. Therefore the equality xρ = (xσ)ρ holds, which is sufficient
to complete this branch of the proof.

At this point, two cases remain to be considered: the case where t|p is a variable, which is formalized
in a way entirely analogous to the previous case, and the case where neither s|p nor t|p is a variable.

In the latter case, again one uses the fact that, at a conflicting position of two unifiable terms, it is
impossible that neither of the subterms is a variable. This result was already formalized as a lemma called
resolving_diff_vars. Then, using this lemma and instantiating appropriately, one obtains the sequent:

{-1} p = resolving_diff(s, t) => vars?(subtermOF(s, p)) OR vars?(subtermOF(t, p))
[-2] resolving_diff(s, t) = p
|-------
[1] vars?(subtermOF(t, p))
[2] vars?(subtermOF(s, p))

In this sequent the contradiction is already established, and it can be captured with a simple application
of the PVS proof command "assert". The proof of the main lemma used in this branch of the proof, the
previously mentioned resolving_diff_vars, follows by induction on the structure of the term s, as
explained below.

If s is a variable, the position p must be the root position empty_seq, and at this position the term
s|ε is a variable. If s is an application, the proof follows by expanding the definition of resolving_diff
and considering the three possible cases, namely:

1. s is a constant. Then the position of the first difference must be ε and t must be a variable,
since the terms are unifiable.

2. s is a non-constant application and t is a variable. Similar to the previous case.

3. s is a non-constant application and t is an application. The position p cannot be the root position.
The sequent corresponding to this case is presented below.

{-1} p = add_first(k, resolving_diff(subtermOF(s, #(k)), subtermOF(t, #(k))))
[-2] FORALL (x: below[args(s)`length]):
       FORALL (t: term | unifiable(args(s)`seq(x), t) & args(s)`seq(x) /= t,
               p: position | positionsOF(args(s)`seq(x))(p) & positionsOF(t)(p)):
         p = resolving_diff(args(s)`seq(x), t) =>
           vars?(subtermOF(args(s)`seq(x), p)) OR vars?(subtermOF(t, p))
|-------
[1] vars?(t)
[2] length(args(s)) =
[3] vars?(subtermOF(s, p))
[4] vars?(subtermOF(t, p))

In this sequent the induction hypothesis, that is, the antecedent formula [-2], must be instantiated
with k - 1 in order to capture the subterm s|k, i.e., the (k - 1)-th element of the sequence
of arguments of the root symbol of s, args(s)`seq(k - 1). Then the position p equals the
concatenation of k with the first difference between the terms s|k and t|k, here denoted p = k∘q.
By the induction hypothesis either (s|k)|q or (t|k)|q is a variable. But (s|k)|q = s|k∘q and (t|k)|q = t|k∘q,
which concludes the proof.

3.3 Verification of unification algorithms 

This methodology of proof of the existence of mgu's can be applied in order to formalize the completeness
of unification algorithms à la Robinson, as presented in detail in [1] for a greedy unification
algorithm. This is illustrated in the theory robinsonunification, also available inside trs, as well as in a
more recent efficient specification robinsonunificationEF (see the trs hierarchy in Fig. 1).

The main functions in the theory robinsonunification are first_diff, link_of_frst_diff and
robinson_unification_algorithm, whose roles are analogous, respectively, to those of the functions
resolving_diff, sub_of_frst_diff and unification_algorithm. These functions are specified
in such a way that whenever an unsolvable difference is detected (by the function first_diff) the
substitution "fail" is returned. This substitution is built explicitly as the substitution with the singleton
domain {xx} and image ff(xx), where xx and ff are, respectively, a constant and a unary function symbol.
In this way, the substitution fail is distinguished from any other possible unifier built by the
function robinson_unification_algorithm for any pair of terms.

The function link_of_frst_diff, presented below, either builds the resolving link substitution for
the first difference, whose position is detected by first_diff, or returns fail. According to these two
outcomes, the function robinson_unification_algorithm, also presented below, either builds the mgu
or returns fail.

link_of_frst_diff(s: term, (t: term | s /= t)): Sub =
  LET k: position = first_diff(s, t) IN
  LET sp = subtermOF(s, k), tp = subtermOF(t, k) IN
  IF vars?(sp)
  THEN IF NOT member(sp, Vars(tp))
       THEN (LAMBDA (x: (V)): IF x = sp THEN tp ELSE x ENDIF)
       ELSE fail ENDIF
  ELSE IF vars?(tp) THEN
         IF NOT member(tp, Vars(sp))
         THEN (LAMBDA (x: (V)): IF x = tp THEN sp ELSE x ENDIF)
         ELSE fail ENDIF
       ELSE fail ENDIF ENDIF

robinson_unification_algorithm(s, t: term): RECURSIVE Sub =
  IF s = t THEN identity
  ELSE LET sig = link_of_frst_diff(s, t) IN
       IF sig = fail THEN fail
       ELSE LET sigma = robinson_unification_algorithm(ext(sig)(s), ext(sig)(t)) IN
            IF sigma = fail THEN fail ELSE comp(sigma, sig) ENDIF
       ENDIF ENDIF
  MEASURE Card(union(Vars(s), Vars(t)))

The theory robinsonunification consists of 47 lemmas, of which 24 are TCCs. The specification
file has 249 lines and its size is 8.6 KB; the whole proof file has 12091 lines and 739 KB. It was
described in detail in [1].

The subtheory robinsonunificationEF includes an "efficient" version of the unification algorithm in
which, after resolving each conflicting position between two terms, the next conflict is searched for starting
from the position of the conflict just resolved, instead of from the root position of the instantiated terms
as is done in the theories unification and robinsonunification. The main functions in this
improved version of the algorithm are next_position and robinson_unification_algorithm_aux.

The function next_position takes as arguments two terms and a position π valid in both terms,
and returns the next conflicting position. Once all differences between the terms occurring at positions
previous to π (in left-most, outer-most order) and at position π itself have been resolved, the next conflict
can only occur at a position to the right, and therefore there is no need to scan the instantiated terms again
starting from the root position.

The function robinson_unification_algorithm_aux also takes as arguments two terms and a
position of these terms, and returns a substitution; but now, in the process of unification, the next conflict
position is fetched starting from the position of the last resolved conflict, using the function next_position.

next_position(s, t: term,
              p: position | positionsOF(s)(p) AND positionsOF(t)(p)):
  RECURSIVE position =
  IF p = empty_seq THEN empty_seq
  ELSE LET pi0 = delete(p, length(p) - 1) IN
       IF f(subtermOF(s, pi0)) /= f(subtermOF(t, pi0)) THEN pi0
       ELSE LET pi = add_last(delete(p, length(p) - 1), last(p) + 1) IN
            IF positionsOF(s)(pi) THEN
               IF subtermOF(s, pi) /= subtermOF(t, pi) THEN pi
               ELSE next_position(s, t, pi) ENDIF
            ELSE IF pi0 /= empty_seq THEN next_position(s, t, pi0)
                 ELSE empty_seq ENDIF
            ENDIF ENDIF ENDIF
  MEASURE IF p = empty_seq THEN lex2(0, 0)
          ELSE lex2(length(p),
                    arity(f(subtermOF(s, delete(p, length(p) - 1)))) - last(p))
          ENDIF

robinson_unification_algorithm_aux(s, t: term, p: position |
                                   positionsOF(s)(p) AND positionsOF(t)(p)): RECURSIVE Sub =
  IF subtermOF(s, p) = subtermOF(t, p) THEN
     LET pi = next_position(s, t, p) IN
     IF pi = empty_seq THEN identity
     ELSE robinson_unification_algorithm_aux(s, t, pi)
     ENDIF
  ELSE LET sig = link_of_frst_diff(subtermOF(s, p), subtermOF(t, p)) IN
       IF sig = fail THEN fail
       ELSE LET pi = next_position(ext(sig)(s), ext(sig)(t),
                                   p o first_diff(subtermOF(s, p), subtermOF(t, p))) IN
            IF pi = empty_seq THEN sig
            ELSE LET sigma = robinson_unification_algorithm_aux(
                                ext(sig)(s), ext(sig)(t), pi) IN
                 IF sigma = fail THEN fail ELSE comp(sigma, sig) ENDIF
            ENDIF ENDIF ENDIF
  MEASURE lex2(Card(union(Vars(s), Vars(t))), Card(right_pos(s, p)))
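As an added example that is not part of the paper's PVS theories, the following Python rendering puts the two algorithms of this section side by side: robinson follows robinson_unification_algorithm (rescan from the root after each resolving link) and robinson_aux follows robinson_unification_algorithm_aux with next_position (resume from the position of the last conflict). Terms are tuples (symbol, args) with variables as plain strings, positions are tuples of 1-based argument indices, the explicit fail substitution {xx ↦ ff(xx)} is kept, and the occurs check lives in link_of_frst_diff; factors_through checks the witness step of Section 3.2, rho = comp(rho, sig) on every variable, for a given unifier. The names robinson, robinson_aux, factors_through, valid_pos and the sample terms are this example's own assumptions, not identifiers from the paper.

```python
# Added example (not from the paper's PVS theories): the two unification strategies of
# Section 3.3 in Python, over terms shaped like the paper's data type (variables, and
# applications of a symbol to a tuple of arguments; constants take no arguments).
# Names mirror the PVS functions; 'robinson' and 'robinson_aux' are this example's names.
FAIL = {"xx": ("ff", ("xx",))}  # the paper's explicit 'fail' substitution {xx -> ff(xx)}

def app(f, *args):
    """Build an application term; a variable is simply a Python str."""
    return (f, tuple(args))

def is_var(t):
    return isinstance(t, str)

def vars_of(t):
    return {t} if is_var(t) else set().union(*(vars_of(a) for a in t[1]))

def ext(sub, t):
    """Homomorphic extension of a substitution (dict: variable -> term) to terms."""
    return sub.get(t, t) if is_var(t) else (t[0], tuple(ext(sub, a) for a in t[1]))

def comp(sigma, sig):
    """comp(sigma, sig)(x) = ext(sigma)(sig(x)): apply sig first, then sigma."""
    rho = {x: ext(sigma, v) for x, v in sig.items()}
    for x, v in sigma.items():
        rho.setdefault(x, v)
    return rho

def subterm(t, p):
    """Positions are tuples of 1-based argument indices; () is the root (empty_seq)."""
    for k in p:
        t = t[1][k - 1]
    return t

def valid_pos(t, p):
    for k in p:
        if is_var(t) or not 1 <= k <= len(t[1]):
            return False
        t = t[1][k - 1]
    return True

def first_diff(s, t):
    """Left-most outer-most position at which s and t differ (precondition: s != t)."""
    if is_var(s) or is_var(t) or s[0] != t[0] or len(s[1]) != len(t[1]):
        return ()
    for k, (a, b) in enumerate(zip(s[1], t[1]), start=1):
        if a != b:
            return (k,) + first_diff(a, b)

def link_of_frst_diff(s, t):
    """Resolving link substitution for the first difference, or FAIL."""
    sp, tp = (subterm(u, first_diff(s, t)) for u in (s, t))
    if is_var(sp):
        return {sp: tp} if sp not in vars_of(tp) else FAIL  # occurs check
    if is_var(tp):
        return {tp: sp} if tp not in vars_of(sp) else FAIL
    return FAIL  # clash of function symbols or arities

def robinson(s, t):
    """robinson_unification_algorithm: rescan from the root after every link."""
    if s == t:
        return {}
    sig = link_of_frst_diff(s, t)
    if sig == FAIL:
        return FAIL
    sigma = robinson(ext(sig, s), ext(sig, t))  # Card(Vars(s) U Vars(t)) drops by one
    return FAIL if sigma == FAIL else comp(sigma, sig)

def next_position(s, t, p):
    """Next conflicting position at or to the right of p (left-most outer-most order)."""
    if p == ():
        return ()
    pi0 = p[:-1]
    if subterm(s, pi0)[0] != subterm(t, pi0)[0]:
        return pi0
    pi = pi0 + (p[-1] + 1,)  # right sibling of p
    if valid_pos(s, pi) and valid_pos(t, pi):
        return pi if subterm(s, pi) != subterm(t, pi) else next_position(s, t, pi)
    return next_position(s, t, pi0) if pi0 != () else ()

def robinson_aux(s, t, p=()):
    """robinson_unification_algorithm_aux: resume scanning from the last conflict."""
    if subterm(s, p) == subterm(t, p):
        pi = next_position(s, t, p)
        return {} if pi == () else robinson_aux(s, t, pi)
    sig = link_of_frst_diff(subterm(s, p), subterm(t, p))
    if sig == FAIL:
        return FAIL
    s1, t1 = ext(sig, s), ext(sig, t)
    pi = next_position(s1, t1, p + first_diff(subterm(s, p), subterm(t, p)))
    if pi == ():
        return sig
    sigma = robinson_aux(s1, t1, pi)
    return FAIL if sigma == FAIL else comp(sigma, sig)

def factors_through(rho, sig, s, t):
    """Witness step of Section 3.2: a unifier rho satisfies rho(x) = ext(rho)(sig(x))."""
    return all(ext(rho, x) == ext(rho, ext(sig, x)) for x in vars_of(s) | vars_of(t))
```

On a unifiable pair such as f(x, g(y), z) and f(g(a), g(x), y) both functions return the same mgu {x ↦ g(a), y ↦ g(a), z ↦ g(a)}, and both return FAIL for an occurs-check failure (x against f(x)) or a symbol or arity clash. The membership test in link_of_frst_diff is the only thing that stops x against f(x) from producing a cyclic binding, which is why the PVS version keeps the occurs check inside the link construction rather than as a separate pass.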

Formalization of the correctness of this specification requires considerable additional effort and, in particular,
specialized inductive proofs based on the more elaborate measures needed for the previous
two functions.

4 Related work 

Correctness of unification algorithms has been the subject of several formalizations in a variety of theorem
provers. Starting from a formalization in LCF [18], other formal proofs have been given, for example, in
Isabelle/HOL, Coq [20, 4, 16], ALF [5] and ACL2 [21].

The earliest LCF formalization of the unification algorithm was given by Paulson [18]. Paulson's
approach was followed by Konrad Slind in the theory Unify formalized in Isabelle/HOL, from which
an improved version called Unification is now available. Unlike other approaches, in Slind's formalization,
as in the one presented here, idempotence of the computed unifiers is not needed to prove either
termination or correctness of the specified unification algorithm. In contrast with our textbook-style
termination proof, which is based on the fact that the number of distinct variables occurring in the terms
being unified decreases after each step of the unification algorithm (Section 3.1), the termination proof
of the theory Unify is based on separate proofs of non-nested and nested termination conditions, and
the unification algorithm is specified on top of a specification of terms built by a binary combinator
operator (Comb).

Recent Coq formalizations of unification algorithms were presented in [4] and [16]. The formalization
in [4] is part of a library called CoLoR, and the most significant difference is that here substitutions
are specified as finite maps from unrestricted variables into general terms, whereas in CoLoR they are
specified as functions from type variables to a generalized term structure. In [16], Kothari and Caldwell
presented a specification of a unification algorithm for equalities in the language of simple types. This
kind of unification has direct applications in type inference algorithms. Their unification algorithm is
proved correct by showing that it satisfies four axioms: that the computed mgu is a unifier; that it is in
fact a most general unifier; that its domain is restricted to the set of free variables in the input equational
problem; and that the theorem of existence of mgu's holds. In a later work, the same authors showed that
three additional axioms, one of them idempotence of mgu's, are also satisfied. Since simple types
are built from a language of symbols for basic types and a unique binary operator symbol, (->), the current
approach can be directly applied to the restricted language of simple types treated in [16]. An additional
fact that makes the current formalization closer to the usual theory of unification as presented in well-known
textbooks (e.g., [17, 2]) is the decision to specify terms as a data type built from variables and
the operator app, which builds terms as an application of a function symbol (of a given arity) to a sequence
of terms of the right length. In this way, substitutions were specified as functions from variables to
terms and the construction of the homomorphic extension is straightforward.

Earlier related work in Coq includes [20], where an algorithm similar to Robinson's was extracted
from a formalization based on a generalized notion of terms built with binary constructors in the style of
Manna and Waldinger, whose translation to the usual notation is not straightforward. More recently, in
[7], a certified resolution algorithm for the propositional calculus is extracted from a Coq specification
that requires unification of propositional expressions.

Elsewhere a formalization of a first-order unification algorithm is given. The main difference with the
current formalization is that here one defines the application of a substitution to a term only by recursion 
on the term, and there the author defines the application of a substitution to a term in two ways: by 
recursion on the term (parallel application) and by recursion on the substitution (sequential application). 
Thus, for a given substitution and a given term, the application of the substitution to the term might 
result in different terms, depending on whether one follows the definition of the parallel application or 
the sequential application. However, both applications give the same result for idempotent substitutions. 
In other words, unlike the current approach, idempotence of the computed unifiers is necessary to prove 
the correctness of the specified unification algorithm. 

In [21] a formalization in ACL2 of the correctness of an implementation of an O(n^2) run-time unification
algorithm is presented. The specification is based on Corbin and Bidoit's development [8], as
presented in [2], in which terms are represented as directed acyclic graphs (DAGs). The merit of this
formalization is that, by dealing with a specific data structure such as DAGs for representing terms, the
correctness proof is much more elaborate than the current one. But in the current paper the focus is
on having a natural mechanical proof of the existence of mgu's, which is strictly what is needed in a formalization
of the correctness of the Knuth-Bendix Critical Pair theorem. Although the representation of terms
is sophisticated (via DAGs), the referred formalization diverges from textbook proofs of correctness of
the unification algorithm in that it is restricted to first order. In fact, instead of representing second-order
objects such as substitutions as functions from the domain of variables to the range of terms, they are
specified as first-order association lists. In our approach, the decision to specify substitutions as
functions allows us to apply all the theory of functions available in the higher-order proof assistant PVS,
which makes our formalization very close to the ones available in textbooks.

As mentioned in the introduction, as part of the PVS theory trs presented in [11] there are formalizations
of non-trivial results on rewriting, such as the well-known Knuth-Bendix Critical Pair Theorem,
that require the theorem of existence of mgu's. The style of the formalization of existence of mgu's can be
followed in order to verify the soundness and completeness of unification algorithms à la Robinson, as
illustrated in [1] for a greedy algorithm. The proof methodology used to prove termination and soundness
in the formalization of the theorem of existence of mgu's is adapted in order to verify the correctness of
unification algorithms as described in [1].

5 Conclusions and Future Work 

A formalization in the language of the proof assistant PVS of the theorem of existence of
mgu's was presented. This formalization is close to textbook proofs and was applied to present a
complete formalization of the well-known Knuth-Bendix Critical Pair theorem. The methodology of
proof can be directly applied in order to certify the correctness of first-order unification algorithms à la
Robinson.

As future work, the extraction of certified unification algorithms, either on their own or in several of their
possible application contexts, such as first-order resolution and type inference, is of great interest.